Executive Summary

Data Sharing Agreements (DSAs) are a key Statistics Canada business process. In recent years, data sharing has become a growing and increasingly complex area to manage. Ensuring confidentiality of data is becoming more complicated as business processes and organizational structures are continually changing. Health Statistics Division (HSD) of Statistics Canada enters into DSAs with provincial Health Ministries under the authority of section 12 of the Statistics Act.

Two new Omnibus agreements replacing existing DSAs were signed in November 2012 and April 2013 between Statistics Canada and the Saskatchewan Ministry of Health (the Ministry) for the collection and sharing of information from several selected health surveys. These DSAs allow for sharing of statistical health survey information obtained through the Canadian Community Health Survey (CCHS) and the National Population Health Survey (NPHS).

To protect the confidentiality and sensitive nature of the information collected, the DSAs contain terms and conditions (T&Cs) to ensure that confidentiality of information is not compromised.

The objective of this audit is to provide assurance to the Chief Statistician and Statistics Canada's Departmental Audit Committee that:

The terms and conditions of the Data Sharing Agreements between Statistics Canada and the Saskatchewan Ministry of Health are met.

The audit was conducted by Internal Audit Division in accordance with the Government of Canada's Policy on Internal Audit.

Key Findings

Authorities are defined and the Statistics Canada policy framework sets out clear roles, responsibilities and practices for the management and implementation of DSAs. However, when the Omnibus agreements were set-up and signed to replace existing DSAs in 2012 and 2013, HSD at Statistics Canada was not aware of the transfer of the Ministry's Data Warehouse Administration group, which supports its informatics services and combining records containing personal information, to eHealth Saskatchewan (eHealth) formed in 2010. Consequently, in November 2013, an amendment was made to both Omnibus agreements with the Ministry to allow the Ministry to share data with eHealth under The Health Information ProtectionAct of the Statutes of Saskatchewan, 1999. From 2011 to November 2013, HSD unknowingly, transmitted Statistics Canada health surveys to eHealth.

Practices and procedures within HSD at Statistics Canada should be strengthened to ensure that confidential information is only transmitted to the Saskatchewan Ministry's designated Data Custodian.

The audit found that practices and procedures at the Ministry should also be strengthened for the management of Statistics Canada DSAs to meet all the requirements prescribed in the T&Cs of the DSAs.

Significant turnover and lack of documented roles and responsibilities for the management of Statistics Canada DSAs at the Ministry elevates the risk of ineffective and inefficient processes being applied for data management.

The contract to share Statistics Canada confidential information with a provincial research organization was set-up by the Ministry without obtaining express written consent from Statistics Canada, and did not include an audit clause as required under the T&Cs of the Omnibus DSAs.

Access to Statistics Canada confidential information was provided to three Health Regions (HRs) in Saskatchewan for which Data-Sharing-Schedules were not set-up and signed in compliance with the requirements of the Ministry's Master Data Sharing Agreements with the HRs and the Omnibus DSAs.

At eHealth, internal protocols for the management and handling of confidential information are established and followed but formal approvals allowing eHealth to share data with third parties are not kept on file.

Assessment of electronic access privileges of Statistics Canada data files at eHealth revealed access controls to employees on a "need-to-know" basis require strengthening for compliance with the T&Cs of the DSAs, and the Information Management Service Provider (IMSP) Agreement between the Ministry and eHealth. Employees of a third party contractor providing services to the Ministry should sign the Ministry's Confidentiality Agreement in compliance with its Security Policy Framework.

Effective controls for physical access to the Ministry's premises and physical storage are in place. Logical access controls and effective practices for identification and authentication safeguards are in place and working as intended.

Overall Conclusion

Statistics Canada entered into statistical data-sharing agreements with the Ministry to assist and support health planning and decision making. The Omnibus DSAs include T&Cs governing the use, confidentiality, access, monitoring and compliance of information, and physical and information technology (IT) security.

While Statistics Canada's policy framework sets out clear roles, responsibilities and practices for the management and implementation of data sharing agreements, greater clarity of responsibilities and accountabilities, and strengthening of the practices and procedures within Statistics Canada are necessary for the sound management and protection of Statistics Canada confidential information.

The Ministry has started to establish a framework of practices and procedures to meet the requirements prescribed in the T&Cs of the new Omnibus DSAs, but these should be strengthened and implemented to ensure compliance with all of the requirements of the DSAs; the IMSP Agreement between the Ministry and eHealth; and the Ministry's internal policy framework. Documentation of the roles and responsibilities is also necessary at the Ministry and eHealth to ensure effective and efficient processes are applied for the management and handling of Statistics Canada data, and to prevent unwanted disclosure of the data. Audit observations did not reveal any evidence that Statistics Canada confidential information was compromised.

Conformance with Professional Standards

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing.

Sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the findings and conclusions in this report and to provide an audit level of assurance. The findings and conclusions are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The findings and conclusions are applicable to the entity examined and for the scope and time period covered by the audit.

Patrice Prud'homme
Chief Audit Executive

Introduction

Background

The Health Statistics Division (HSD) at Statistics Canada has the mandate to provide accurate, timely and relevant information about the health of Canadians. The HSD provides statistical information about the health of the population, the determinants of health, and the scope and utilization of Canada's health care resources. This information is used to assist and support health planners and decision-makers at all levels of government, to sustain demographic and epidemiological research, and to report to the Canadian public about their collective health and health care system. The HSD works in partnership with provincial and territorial vital statistics registrars and cancer registries as well as data providers and users at the federal level (Health Canada and the Public Health Agency of Canada), provincial level (provincial ministries of health), and the regional level (Health Regions).

To achieve its mandate, the HSD enters into statistical data-sharing agreements (DSAs) with other organizations under the authority of sections 11 and 12 of the Statistics Act. These agreements cover nearly all of the business surveys and a majority of household surveys, and enjoy certain exceptions regarding the release of confidential respondent information either with or without the respondent consent, provided that the legal requirements for the provision of data-sharing information, consent rights and confidentiality protection are respected by all parties. In general, data-sharing for statisticalpurposes occurs when statistical and information inquiry is initiated by joint survey partners, or where a common data resource is equally and jointly owned by two or more partners. Data-sharing is exercised when there are significant reductions in response burden and compliance costs for data-sharing partners, as well as improvements in statistical data accuracy, coverage, relevance and timeliness.

In recent years, DSAs have become a key business process and ensuring confidentiality and protection of data is a challenge. Currently, Statistics Canada has two agreements with the Saskatchewan Ministry of Health (the Ministry) covering health surveys, under the authority of section 12 and sub-section 17(2) of the Statistics Act. Health surveys for the Canadian Community Health Survey (CCHS), National Population Health Survey (NPHS) and Survey on Living with Chronic Diseases in Canada (SLCDC) are included in the agreements.

The CCHS is a cross-sectional survey which collects information related to health status, health care utilization and health determinants for the Canadian population. It is an annual survey which relies upon a large sample of respondents and is designed to provide reliable estimates at the health region level. The uniqueness of the survey arises from the regional nature of both content and survey implementation. These aspects allow for analysis of health data at a regional level, across Canada.

The NPHS is a longitudinal survey providing unique information about the health of Canadians. Every two years, the same individuals provide current and in-depth information on their physical and mental health status, use of health care services, physical activities, life in the workplace and social environment. It collects information related to the health of the Canadian population and related socio-demographic information.

The SLCDC is a cross-sectional survey sponsored by the Public Health Agency of Canada that collects information related to the experiences of Canadians with chronic health conditions. The SLCDC takes place every two years, with two chronic diseases covered in each survey cycle. The objectives of the survey are to assess the impact of chronic health conditions on quality of life; provide more information on how people manage their chronic health conditions; identify health behaviors which influence disease outcomes; and identify barriers to self-management of chronic health conditions.

The data are used extensively by the research community and other health professionals. Federal and provincial departments of health and human resources, social service agencies, and other types of government agencies use the information collected from the respondents to plan, implement and evaluate programs to improve health and the efficiency of health services. Non-profit health organizations and academic researchers use the information for research on ways to improve health.

Audit Objectives

The objective of the audit is to provide assurance to the Chief Statistician and Statistics Canada's Departmental Audit Committee that:

The terms and conditions of the Data Sharing Agreements between Statistics Canada and the Saskatchewan Ministry of Health are met.

Scope

The scope included an examination for compliance to the T&Cs prescribed in the DSAs to ensure that confidentiality of information and the sensitive nature of the information collected are protected. The audit focused on the confidentiality and security (physical access, IT storage and transmission, physical storage and information copying and retention and record management) safeguards at the Ministry to ensure that data is protected and confidentiality is maintained.

The scope of the audit examined all third party agreements and contracts entered into by the Saskatchewan Ministry of Health in 2013.

Approach and Methodology

The audit work consisted of an examination of documents, interviews with key Senior Management and personnel, and a review of compliance with relevant policies and guidelines. (See appendix A: Audit Criteria for details.)

The field work included the following:

A review and assessment of the processes and procedures outlined in the T&Cs of the DSAs with the Ministry, with emphasis on whether or not the security requirements are in place and complied with, and that confidentiality of data is maintained,

Testing of system application controls and authentication and access procedures, and

Review and testing of a sample of agreements and contracts with third parties.

This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing.

Authority

The audit was conducted under the authority of the approved Statistics Canada integrated Risk-Based Audit and Evaluation Plan 2013/14 to 2017/18.

Findings, Recommendations and Management Response

Objective 1: The T&Cs of the Data Sharing Agreements (DSAs) between Statistics Canada and the Ministry are met.

Control Environment for the Management of the DSAs

Authorities are defined and the Statistics Canada policy framework sets out clear roles, responsibilities and practices for the management and implementation of DSAs. However, when the Omnibus agreements were set-up and signed to replace existing DSAs in 2012 and 2013, HSD at Statistics Canada was not aware of the transfer of the Ministry's Data Warehouse Administration group, which supports its informatics services and combining records containing personal information, to eHealth Saskatchewan (eHealth) formed in 2010. Consequently, in November 2013, an amendment was made to both Omnibus agreements with the Ministry to allow the Ministry to share data with eHealth under The Health Information ProtectionAct of the Statutes of Saskatchewan, 1999. From 2011 to November 2013, HSD unknowingly, transmitted Statistics Canada health surveys to eHealth.

Practices and procedures within HSD at Statistics Canada should be strengthened to ensure that confidential information is only transmitted to the Saskatchewan Ministry's designated Data Custodian.

Within the Ministry, practices and procedures should be strengthened for the management of Statistics Canada DSAs to meet all the requirements prescribed in the T&Cs of the DSAs.

All third party agreements and contracts entered into by the Ministry should contain an audit clause to be reflective of the requirements set forth in the Omnibus agreement.

Authorities, responsibilities and accountabilities should be clearly defined and understood at all levels to support effective management of the T&Cs of the Omnibus data sharing agreements. Monitoring of practices as outlined in the T&Cs of the Omnibus data sharing agreements should be in place to detect unwanted disclosures which would otherwise increase operational risk.

Authorities are defined

Statistics Canada exercises its mandate to enter into statistical data sharing agreements with other organizations under the authority of sections 11 and 12 of the Statistics Act. The statistical health survey information provided to the Saskatchewan Ministry of Health supports the Ministry in policy development, evaluating programs to improve health and the efficiency of health services, and sustaining demographic and epidemiological research.

The Directive on Data Sharing under Sections 11 and 12 sets out the roles and responsibilities for the development, implementation and monitoring requirements of DSAs. The Directive notes that Information Management Division (IMD), in consultation with Legal Services, is responsible for drafting data-sharing agreements when requested from directors of statistical programs. IMD is also required to support managers during the development of new or modified data-sharing agreements with receiving parties, pursuant to section 12 of the Statistics Act. Subject Matter Divisions are responsible for communication with recipient organizations during the negotiations and drafting of the agreements.

Statistics Canada replaced its existing DSAs with the Saskatchewan Ministry of Health (the Ministry) with Omnibus data sharing agreements signed on November 13, 2012 and April 12, 2013 for the collection and sharing of information from several selected health surveys.

The HSD is the liaison between Statistic Canada and the Ministry with responsibility for the implementation of the DSAs. The Data Access Services (DAS) section in HSD is the liaison between Statistics Canada and the Ministry for negotiating and drafting the agreements, and oversees the secure transmission of the prepared survey files to the Ministry.

At the time of drafting and signing the new Omnibus DSAs, HSD was not aware that the Ministry had transferred its Data Warehouse Administration group which supports its informatics services and combining records containing personal health information to eHealth. eHealth is a Treasury Board Crown corporation formed in 2010. The relationship between the Ministry and eHealth was formalized in an Information Management Service Provider (IMSP) Agreement in April 2011.

In November 2013, an amendment was made to both agreements with the Ministry to add an additional paragraph (6.2.5) allowing the Ministry to share data with eHealth under TheHealth Information Protection Act of the Statutes of Saskatchewan, 1999. From 2011 to November 2013, the Ministry provided Statistics Canada confidential information to eHealth even though they did not have a provision in the Omnibus DSAs that allowed them to do so. The Ministry did this as they had a legal requirement to use the services of eHealth for data management and record linkage. eHealth is dedicated to the management of all of the Ministry's health data and under the IMSP Agreement it does not use the health data for its own purposes.

Practices for the administration and management of the Data Sharing Agreements need to be strengthened at Statistics Canada

As per the Directive on Data Sharing Agreements under Section 11 and 12, the DAS section in HSD maintains a Contact Control register listing the province, official contact and electronic file transmission (e-FT) recipient, and date of confirmation of this information. A Transmission Control register is also maintained with a description of the survey name and file, reference period covered, password, location, recipient name, shipping date and confirmed receipt date.

Review of the Contact Control register revealed that the official contact and e-FT recipient was listed as a Data Warehouse Administrator at eHealth with a back-up who is also an employee of the Data Warehouse group at eHealth. There was no evidence of a date to confirm when the information had been updated.

Review of the Transmission Control register and interviews with the DAS section revealed, that even after the Data Warehouse Administration group was transferred from the Ministry to eHealth in 2010, the DAS section had not made a distinction between the two separate organizations and as a result continued to transmit Statistics Canada confidential information to the two official contacts listed in their Contact Control register, even though they were no longer employees of the Ministry, but employees of eHealth. Under the T&Cs of the Omnibus DSAs with the Ministry, Statistics Canada confidential information is to be transmitted directly to the Ministry's designated Data Custodian.

Responsibilities of the Data Custodian prescribed in the DSA for the management of Statistics Canada DSAs should be implemented

At the Ministry, functional responsibility for the administration and management of Statistics Canada confidential information – data receipt, handling, storage and transmission rests with the Director of Health Information Policy and Legislation Division, Risk and Relationship Management Branch, who is the designated Data Custodian and recipient for the Ministry.

Under the Omnibus agreement, the Data Custodian must implement the following three key requirements:

A Confidentiality Document

According to Appendix C in the Omnibus DSA, the Data Custodian will

"prepare a document for the use of the Receiving Party's employees and contractors, outlining the T&Cs governing the use of the Information, as well as the procedures to send, receive, handle and store the Information (hereinafter the "Confidential Document")."

Prior to granting access to Statistics Canada information, the Data Custodian must ensure that every employee and contractor who access the information has agreed in writing to comply with the terms of the DSA by signing and acknowledging that they have read, understood and agree to comply with the T&Cs of the DSA as highlighted in the Confidentiality Document.

The audit found that a Confidentiality Document has been drafted, but it has not been administered and signed by the Ministry employees and contractors with access to Statistics Canada confidential information.

A register of Data Files

The Data Custodian is required to maintain a register of all data files received from Statistics Canada which contains the following information: date received, file name and reference period, name of employee who received the file, name of employee at Statistics Canada who sent the file, employee responsible for safekeeping of the file, and the date the file was destroyed or returned to Statistics Canada.

The audit found that a template has been developed for this requirement, but it was blank and did not include a listing of all the data files received from Statistics Canada.

A register of Access to Data Files

The Data Custodian is required to maintain a register of all persons who have been granted access to the data files received from Statistics Canada by the Ministry which contains the following information: file name and reference year, name of employee or contractor to whom access has been given, justification for access, name of delegated manager who authorized access and date of authorization, and start and end dates of period for which access is authorized.

The audit found that a template has been developed for this requirement, but it was also blank and did not include a listing of all persons granted access to data files received from Statistics Canada.

As well, a User Guidelines for Selected Survey document has been developed which mirrors the T&Cs from Statistics Canada DSAs with the Ministry with respect to Data Sharing, Use of the Information, Access to the Information, Third Party Sharing and Monitoring and Compliance, but it too has not been implemented.

A third party contract entered into by the Ministry with a provincial research organization did not include an audit clause in compliance with the requirements of the DSAs

Clauses with respect to monitoring are prescribed by Statistics Canada in the Omnibus data sharing agreements. The Omnibus DSAs state that

"Statistics Canada shall have the right, when it determines necessary, to perform reviews of compliance with this Agreement"

The DSAs also prescribe that third party agreements entered into by the Ministry

"shall contain a clause stipulating the right of Statistics Canada or the Ministry (the Receiving Party) to review compliance with the terms of this Agreement".

The Ministry has Master Data Sharing Agreements with the thirteen HRs in Saskatchewan and the Data-Sharing-Schedules that accompany these include an audit clause. An audit clause is also included in the IMSP Agreement with eHealth and eHealth cooperated with the Ministry and Statistics Canada to review compliance with the T&Cs of the Omnibus DSAs. However, an audit clause was not included in a research contract that the Ministry has with a provincial research organization.

Recommendations:

The Assistant Chief Statistician Social, Health and Labour Statistics Field should ensure that:

Statistics Canada data is transmitted directly to the Data Custodian at the Ministry in compliance with T&Cs of the DSAs.

Management Response:

Management agrees with the recommendation.

The Director of HSD will confirm the identity and organization information of the designated Data Custodian at the Saskatchewan Ministry of Health and will update the two transmission forms (to be completed when confidential statistical files are transmitted to external receiving partners) with this information. These are Form 1 - Acknowledgement of Transfer for Director and Form 2 - Acknowledgement of Transfer by an External Receiving Party.

Deliverables and Timeline: Form 1 and 2 to be updated by April 2014.

The Assistant Chief Statistician Social, Health and Labour Statistics Field should communicate with the Ministry and ensure that:

The Data Custodian at the Ministry ensures compliance with all the requirements of the DSAs: that a Confidentiality Document is signed by employees and contractors prior to granting access to Statistics Canada data; a register of data files received from Statistics Canada is completed and maintained; and a register of all persons who have been granted access to those files is completed and maintained.

An audit clause is included in all the Ministry's third party agreements and contracts in compliance with the DSAs.

Management Response:

Management agrees with the recommendations.

The Assistant Chief Statistician will issue a letter to the Saskatchewan Ministry of Health, outlining the requirements of the data sharing agreement and reiterating the role and responsibilities of the Data Custodian. Additionally the letter will request a copy of the Ministry's Confidentiality Document; a copy of the completed register of data files received from Statistics Canada and a copy of the completed data-access register of all persons granted access to Statistics Canada data files.

Deliverables and Timeline: Letter to be prepared and sent by May 2014. As part of HSD's process for ongoing monitoring of access, HSD will request from the Ministry, every six months, a copy of their current and completed data-access register.

The Director of HSD will request copies of the Ministry's third party agreement templates and will review them for compliance to the terms and conditions of the data sharing agreement and will inform the Ministry of any gaps. Health survey information will only be provided after a thorough and satisfactory review of the third party templates. Senior management at Statistics Canada will be informed once the templates are compliant.

Deliverables and Timeline: Request to be sent by May 2014 and review to be completed immediately upon receipt of third party templates.

Data Stewardship

At the Ministry, significant turnover and lack of documented roles and responsibilities for the management of Statistics Canada DSAs elevates the risk of ineffective and inefficient processes being applied for data management.

At eHealth, internal protocols for data receipt, storage and transmission of Statistics Canada confidential information are established and followed, but formal approvals allowing eHealth to share data with third parties are not kept on file.

A contract to share Statistics Canada confidential information with a provincial research organization was set-up by the Ministry without obtaining express written consent from Statistics Canada in compliance with the requirements of the DSAs; and access to Statistics Canada confidential information was provided to three HRs in Saskatchewan for which Data-Sharing-Schedules were not set-up and signed in compliance with the requirements of the Ministry's Master Data Sharing Agreements with the HRs and the Omnibus DSAs.

Internal protocols and controls for the sound management of data should be in place to ensure the protection and safeguarding of Statistics Canada health survey information over the full lifecycle of the information.

Improvements are required for the management and handling of Statistics Canada confidential information at the Ministry and at eHealth

At the Ministry:

Operational administration and management of the DSAs remains with the Director, of Health Information Policy and Legislation Division, Risk and Relationship Management Branch at the Ministry - the designated Data Custodian for Statistics Canada confidential information. A Senior Policy analyst reporting to the Director is in charge of the day-to-day administration of the DSAs. Interviews revealed that there has been significant turnover in this group over the past couple of years, both at the Director level (three directors in two years) and at the analyst level. Also, the Senior Policy analyst was on extended leave during our audit. The Director was performing both duties and confirmed that the roles and responsibilities for the Analyst's position were not documented. The lack of clearly documented and communicated roles and responsibilities and employee turnover elevates the risk of ineffective and inefficient processes being applied for data management.

At eHealth Saskatchewan:

As part of the audit, a walkthrough of the processes and procedures for data receipt, storage and transmission of Statistics Canada data files was conducted. It was noted that detailed instructions exist for data receipt, storage and transmission, and are being followed by two employees of the Data Warehouse Administration group. The audit noted that they have an understanding of their roles and responsibilities but these have not been documented or communicated.

A review of the directory where Statistics Canada original encrypted data files received through e-FT are stored, revealed that they are downloaded in eHealth's statistical analysis system and database servers and require a separate password from the password that was used to log on to the network. The audit noted that logs of all the information received from Statistics Canada and transmitted to third party recipients are maintained electronically by the Data Warehouse group. The electronic logs maintain a register of the files sent, the recipient, contact name and information, and the date sent.

Interviews revealed that the Data Warehouse Administration group will only share Statistics Canada health information to either internal or external recipients after receiving approval from the Data Custodian. However, there was no evidence of these approvals because they are done informally.

Third party sharing by the Ministry is not always in compliance with the requirements of the DSAs

The Ministry can provide access to Statistics Canada confidential health survey information to third parties under the following five provisions:

Researchers working under contract directly for the Ministry to provide a survey-related product or service for the sole benefit of the Ministry.

Another organization that has entered into a DSA with Statistics Canada for the same survey and the same survey reference years.

eHealth under Health Information Protection Act of the Statutes of Saskatchewan, 1999 for the purposes of providing informatics services and combining records containing personal health information, provided that eHealth is working under contract directly for the Ministry to provide a survey-related product or service for their sole benefit and mandate.

The Ministry did not have any contracts with researchers, or with any organizations that have entered into a DSA with Statistics Canada. An IMSP Agreement was in place with eHealth.

Provincial/territorial or university research institutes working under contract directly for the Ministry to provide a survey-related product or service for the sole benefit of the Ministry.

The audit found that the Ministry had a contract with a provincial research corporation. The audit noted that one of the requirements stipulated in the DSA for setting up a contract with a provincial research institute is that:

"The Receiving party may provide access to the Information, to a recognized research institute or organization, provided that express written consent has been obtained from Statistics Canada prior to the contractual arrangement having been formalized between the Receiving Party and the research institute/organization".

Interviews revealed that the Ministry did not obtain an express written consent from Statistics Canada for this contract.

A copy of the contract has since been provided to HSD by IA for review. IA was informed by HSD that they would have provided their written consent to the Ministry for the existing contract, as it met the necessary confidentiality related concerns and all of the requirements of Statistics Canada. IA reviewed one of the files shared with the provincial research corporation and noted that no personal identifiers were shared with them as per the DSA.

To thirteen Saskatchewan HRs. However, Statistics Canada health survey information can only be provided to the HRs if the respondents were notified that their survey responses would be provided to HRs in their province of residence. Otherwise, the HR can only work under contract for the Ministry to provide a survey-related product or service for the sole benefit of the Ministry.

The audit found that the Saskatchewan Ministry of Health has entered into Master Data Sharing Agreements with the HRs in Saskatchewan, for a period of five years which can be continued on a month-to-month basis, unless otherwise terminated. Review of the Master Data Sharing Agreement revealed that it sets out the administrative conditions for sharing data with the HRs.

One of the administrative conditions in the Master Data Sharing Agreement stipulates that before data can be shared with a HR

"a separate request for data must be established in writing in a schedule called a 'Data-Sharing-Schedule' and must state that they were set-up pursuant to the Master Data Sharing Agreement and will become effective only upon execution by the authorized personnel of both parties".

When access to Statistics Canada confidential information is on the premises of the HR, HRs are required to sign Data-Sharing-Schedules that are reflective of the T&Cs from the Statistics Canada DSAs with respect to Access, Use and Security of shared information; Confidentiality; Sharing with a third party; and physical and IT security. This is in compliance with the requirement in the DSAs that

"HRs must undertake by a written agreement or contract to comply with the terms of the DSA with Statistics Canada, and to implement the required security measures set out in appendix 'A' of the DSA with Statistics Canada".

The audit found that in 2013, six Statistics Canada data files were shared by the Ministry with access on the premises of three HRs, but Data-Sharing-Schedules for each separate request had not been set-up and signed with the HRs by the Ministry. IA reviewed one of the files shared with one of the HRs and noted that no personal identifiers were shared with them as per the DSAs.

Recommendations:

The Assistant Chief Statistician Social, Health and Labour Statistics Field should communicate with the Ministry and ensure that:

Roles and responsibilities for the management and handling of Statistics Canada health survey information should be documented and communicated to employees both at the Ministry and at eHealth.

The Ministry should maintain formal approvals on file allowing eHealth to share data with third parties.

Data-Sharing-Schedules should be established with the HRs in compliance with the Ministry's requirement under its Master Data Sharing Agreement and Statistics Canada DSAs.

Express written consent should be received from Statistics Canada prior to arranging a contract with a recognized provincial institute or research organization.

Management Response:

Management agrees with the recommendations.

The Assistant Chief Statistician will issue a letter to the Saskatchewan Ministry of Health, requesting a list of the Ministry and eHealth employees with access to Statistics Canada health survey information and their roles and responsibilities in terms of handling Statistics Canada information. The letter will also request the Ministry's plan for documenting and communicating the roles and responsibilities with respect to the management and handling of Statistics Canada health survey information.

The Ministry will be requested to establish Data-Sharing Schedules with Health Regions for sharing Statistics Canada health survey information in compliance with the Ministry's requirements under its Master Data Sharing agreement and Statistics Canada DSAs and provide copies of the schedules to HSD.

The Assistant Chief Statistician will reiterate the Ministry's responsibility to maintain formal approvals on file and to receive express written consent from HSD prior to arranging a contract with a recognized provincial institute or research organization.

Deliverables and Timeline: Letter to be prepared and sent by May 2014. Copies of all Data-Sharing Schedules with Health Regions for sharing Statistics Canada health survey information will be requested.

Physical and Information Technology Security

Assessment of electronic access privileges of Statistics Canada data files at eHealth revealed access controls to employees on a "need-to-know" basis require strengthening for compliance with the T&Cs of the DSAs, and the IMSP Agreement between the Ministry and eHealth. Employees of a third party contractor providing services to the Ministry should sign the Ministry's Confidentiality Agreement in compliance with its Security Policy Framework.

Effective controls for physical access to the Ministry's premises and physical storage are in place. Logical access controls and effective practices for identification and authentication safeguards are in place and working as intended.

Control and protection of information, either physically or electronically, should be executed in a manner that protects against loss, theft, compromise or improper disclosure. Access to the data should only be given to employees or contractors on a "need-to-know" basis as part of their duties.

Physical access is secure

The Data Warehouse Administration group at eHealth is housed in the same premises as the Ministry. A physical inspection of the Ministry's site revealed that physical access to the Ministry's premises is secured by locked doors with a card scanner outside each set of doors in the building where employees must swipe their key fobs to enter. Visitors must sign in at the front desk and be escorted at all times.

Physical storage of Statistics Canada information is secure

Statistics Canada data resides within eHealth's secured IT system (data warehouse servers). The eHealth servers are located in an 1,800 square foot facility in a separate building with 24/7 security. Passcard access into the secured server room is available only to authorized personnel of eHealth. No guest passcard access is allowed. Visitors must sign in at the front desk and be escorted at all times by authorized personnel. Walls, floor and ceiling of the server room are protected by wire mesh and cameras are also located in the server room to log entry and access to the servers. Security tapes are retained for ninety days and an access log is reviewed monthly by the Director.

Network access to Statistics Canada data files are not compliant with the policy framework of the Ministry and eHealth, and with the T&Cs of the DSAs

Network access privileges are requested through eHealth's Service Desk. eHealth employees must complete a Network Account Authorization form for access to the networks they require and obtain their manager's approval. A similar form must be completed by the manager when the removal of access privileges upon an employee's change of duties or termination of employment is required.

The T&Cs of the DSAs, stipulate that access to Statistics Canada confidential information at the Ministry is to be granted on a need-to-know basis, to employees whose work responsibilities require such access in order for the Ministry to meet its statistical and research needs. In addition, the IMSP Agreement between the Ministry and eHealth, states that

"eHealth may access and use information on a need-to-know basis as expressly authorized by the Ministry for the sole and express purpose of fulfilling its obligations under the Agreement".

The audit tested this requirement by reviewing who has access privileges to the directory where Statistics Canada data files are stored, the purpose, and frequency. Two employees in the Data Warehouse Administration group at eHealth have direct responsibility for Statistics Canada data files which involved data receipt, storage, and transmission to internal and external users. However, access to the database server on which Statistics Canada data files are stored was provided to all seven employees of the Data Warehouse group for cross-training and back-up purposes.

Section 8.1.1 of the Ministry's Security Policy Framework states that

"an employee of a Ministry of Health third party contractor is required to sign a Confidentiality Agreement prior to providing services to the Ministry of Health".

This requirement is separate from the Confidentiality Document prescribed in the Omnibus DSAs for administration by the Data Custodian prior to granting access to Statistics Canada data.

The audit found that all of the seven employees of the Data Warehouse Administration group that were former employees of the Ministry and are now employees of eHealth and providing services to the Ministry have not signed a Confidentiality Agreement with the Ministry.

Security measures exist for identification and authentication safeguards, IT storage and data transmission

Through testing, the audit revealed that data files are managed through server set-up and directory access rules at eHealth to ensure that access is only by those that have been authorized. Data files are received directly from Statistics Canada through e-FT and stored on a database server. Logical access controls exist at the device level for all workstations and at the system level for all database servers. Data is not stored on individual workstations. eHealth transmits data to external users through secure file transfer which is encrypted, and the data files are zipped and password protected.

Information stored on the database servers is backed-up daily on encrypted tapes which are stored offsite in a secured building for thirty days and then rotated to an off-site private storage company. Review of both eHealth and the Ministry's Security Policy Frameworks revealed that their security policies prohibit the transmission of data through fax or emails and data cannot be stored on transportable media devices (i.e. CD-ROMs, USB sticks, hard drives, or laptops). Data is not to be removed from the premises with the exception of the transfer to third parties and to the offsite storage company and it is not to be reproduced. A private shredding company is used for the secure disposal of confidential information.

Recommendations:

The Assistant Chief Statistician Social, Health and Labour Statistics Field should communicate with the Ministry and ensure that:

Access to Statistics Canada data at eHealth is restricted to employees on a "need-to-know" basis in compliance with the T&Cs of the DSAs, and the IMSP Agreement between the Ministry and eHealth.

Employees of a Ministry of Health third party contractor providing services to the Ministry of Health should sign the Ministry's Confidentiality Agreement in compliance with its Security Policy Framework.

Management Response:

Management agrees with the recommendations.

The Assistant Chief Statistician will issue a letter to the Saskatchewan Ministry of Health to remind the Ministry that access to Statistics Canada data at eHealth is restricted to employees on a "need-to-know" basis in compliance with the T&Cs of the DSAs, and the IMSP Agreement between the Ministry and eHealth.

The Ministry will also be reminded of the requirement to have all third party contractors sign the Confidentiality Agreement and the Ministry will be asked to confirm that all third party contractors have signed the Confidentiality Agreement.

Deliverables and Timeline: Letter to be prepared and sent by May 2014 and confirmation that all third party contractors have signed the Confidentiality Agreement be sent to HSD by June 2014.

As part of HSD's process for ongoing monitoring of access, HSD will request every six months from the Ministry a list of the Ministry and eHealth employees with access to Statistics Canada health survey information, including their roles and responsibilities.

Appendices

Appendix A: Audit Criteria

Appendix A: Audit Criteria

Control Objective / Core Controls / Criteria

Sub-Criteria

Policy Instrument

The T&Cs of the Data Sharing Agreements (DSAs) between Statistics Canada and the Ministry are met.

1.1 Authorities, responsibilities and accountabilities, are defined, communicated, and the segregation of duties is appropriately established.

1.1.1 Responsibilities are formally defined and clearly communicated.

1.1.2 Authority is formally delegated and delegated authority is aligned with individuals' responsibilities. Where applicable, incompatible functions are not combined.

1.2 The Ministry has established an appropriate framework to manage the requirements set out in the DSAs.

1.2.1 Processes are in place to fulfill the requirements set out in the DSAs.

1.2.2 Processes are understood and are complied with.

1.2.3 Compliance with processes is monitored.

2.1 Management at the Ministry identifies, assesses the appropriateness of existing controls to effectively manage its risks, and responds to the risks that may preclude the achievement of its objectives.

2.1.1 Risks are identified.

2.1.2 Formal processes and guidelines exist to assess the effectiveness of controls in place to manage identified risks.

2.1.3 Management formally responds to and monitors its risk exposure.

3.1 Assets are protected at the Ministry.

3.1.1 Access to data is limited to authorized individuals and is appropriately secured in compliance with the Data Sharing Agreements (DSAs).

3.1.2 Access is physicallyRestricted.

3.1.3 Procedures exist to safeguard the shared data upon termination of an agreement.

3.1.4 Procedures exist to protect the use of data from abuse or fraud.

3.2 Appropriate system application controls exist at the Ministry.

3.2.1 Logical access controls exist to ensure access to systems and data, is restricted to authorized users, e.g., systems require users to logon using unique user name and password.

3.2.2 Authentication and access procedures and mechanisms exist for and are applied in order to keep authentication and access mechanisms effective.

4.1 Management monitors actual performance against planned results, and adjusts course as needed, to better address the requirements/ needs of the program.

4.1.1 Responsibility for monitoring is clear and communicated and results are reported to required authority levels.